
Upgrade the Jetty Web server embedded in VMware vCenter Update Manager by using a security fix (1023962)

Details

The following VMware vCenter Update Manager versions embed the Jetty Web server version 6.1.6:
  • Update Manager 1.0 Update 2 and later
  • Update Manager 4.0
  • Update Manager 4.0 Update 1
  • Update Manager 4.0 Update 1 Patch 1
  • Update Manager 4.0 Update 1 Patch 2
  • Update Manager 4.0 Update 2
  • Update Manager 4.1
Two security vulnerabilities are reported for Jetty 6.1.6:
  • CVE-2009-1523 (http://jira.codehaus.org/browse/JETTY-1004)
    CVE-2009-1523 identifies a directory traversal vulnerability that allows a remote, unauthenticated attacker to obtain files from the system where Update Manager is installed. The attacker would need to be on the same network as the system where Update Manager is installed.
  • CVE-2009-1524 (http://jira.codehaus.org/browse/JETTY-980)
    CVE-2009-1524 identifies a cross-site scripting vulnerability that allows JavaScript to run in the browser of a user who clicks a URL containing a malicious request to Update Manager. For an attack to be successful, the attacker would need to lure the user into clicking the malicious URL.
The vulnerabilities are classified as Important, according to the VMware Security Response Policy.

The vulnerabilities are fixed in Jetty version 6.1.17 and later. This article explains how to apply a security fix and remove the vulnerabilities in existing Update Manager installations by upgrading to Jetty 6.1.22. The solution applies to all supported Update Manager versions.

Solution

Apply the security fix

To upgrade the embedded Jetty Web server, do the following:
  1. Log in as an administrator to the machine on which the Update Manager server is installed.

  2. Download VUM-KB-1023962.exe to a local directory.
    Click here to go to the download page for VUM-KB-1023962.exe.

  3. (Optional) Verify that the MD5 or SHA1 checksum of the downloaded file matches one of the following:
    • MD5SUM: 1140cb4f897f8f63d780068f480dac4e
    • SHA1SUM: d5f67eba67bda001bfc2b52c9b1a53d6757b7199
    For more information on verifying the checksum match, see Using Cryptographic Hashes.

  4. To run the security fix, double-click VUM-KB-1023962.exe.

  5. On the welcome page of the wizard, click Next.

  6. To accept the EULA and start the upgrade, click I Agree.

  7. (Optional) To view the log messages, click Show details.

  8. When the upgrade completes, click Close.

  9. Verify that Jetty is upgraded to version 6.1.22.
    1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
      • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
      • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
    2. Run the command for checking the current Jetty version.
      • To view the current Jetty version in Update Manager 4.1, as well as Update Manager 4.0 and the subsequent update releases, run the following command:
        ..\jre\bin\java -jar start.jar --version
      • To view the current Jetty version in Update Manager 1.0 Update 6, run the following command:
        ..\jre-1.5.0-16\bin\java -jar start.jar --version

Reapplying the security fix after upgrading Update Manager

If you apply the security fix, and then upgrade to a newer version of Update Manager that also contains the security flaws, you might need to reapply the fix.

Note: Before reapplying the fix, verify that your upgraded Update Manager installation contains the security flaws. All affected versions are listed at the top of this page.

Reapply the security fix after you perform the following upgrades:
  • Upgrade from Update Manager 1.0 Update 6 to any version up to Update Manager 4.0 Update 2.
  • Upgrade from Update Manager 4.0 to any version up to Update Manager 4.0 Update 2.
  • Upgrade from Update Manager 4.0, 4.0 Update 1, 4.0 Update 1 Patch 1, 4.0 Update 1 Patch 2, or 4.0 Update 2 to Update Manager 4.1.

To reapply the fix:
  1. After the upgrade of Update Manager to any of the versions listed above, check the Jetty version.
    1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
      • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
      • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
    2. Run the command for checking the current Jetty version.
      • To view the current Jetty version in Update Manager 4.1, as well as Update Manager 4.0 and the subsequent update releases, run the following command:
        ..\jre\bin\java -jar start.jar --version
      • To view the current Jetty version in Update Manager 1.0 Update 6, run the following command:
        ..\jre-1.5.0-16\bin\java -jar start.jar --version

  2. If the Jetty version is 6.1.6, reapply the fix by using the procedure in the Apply the security fix section.

Reapplying the security fix might result in an error message if an old Jetty registry key is present on the machine

If your Jetty version is 6.1.6 and you reapply the security fix after an upgrade of Update Manager, an error message might appear. The error message reads "VMware vCenter Update Manager <version_number> does not require this patch." In such a scenario, remove the JettyVersion registry key before reapplying the fix.
  1. Click Start > Run, type regedit.exe, and click OK.

  2. Navigate to Jetty registry key location.
    • The path in 32-bit Windows is HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Update Manager.
    • The path in 64-bit Windows is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Update Manager.

  3. Delete the JettyVersion registry entry.

  4. Reapply the security fix.
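The checks that both the Apply and Reapply procedures ask for (checksum of the downloaded installer, current Jetty version, and presence of a stale JettyVersion registry value) collected into one pre-flight script, run on the Update Manager host before launching the installer. This is an added example, not part of the KB article; the installer download location, the 32-bit install and registry paths, and the Update Manager 4.x jre\bin\java.exe layout are assumptions taken from the defaults above.

```powershell
# Added example (not from KB 1023962): pre-flight checks before applying or
# reapplying VUM-KB-1023962.exe. Adjust the three paths for your installation.
$Installer  = "C:\Temp\VUM-KB-1023962.exe"                               # assumed download location
$InstallDir = "C:\Program Files\VMware\Infrastructure\Update Manager"    # 32-bit default from the article
$JettyDir   = Join-Path $InstallDir "jetty-6.1.6"

# Checksums published in the article for VUM-KB-1023962.exe.
$ExpectedMD5  = "1140cb4f897f8f63d780068f480dac4e"
$ExpectedSHA1 = "d5f67eba67bda001bfc2b52c9b1a53d6757b7199"

function Get-HexHash([string]$Path, [System.Security.Cryptography.HashAlgorithm]$Algo) {
    # .NET hashing so the script also works on PowerShell 2.0 (no Get-FileHash).
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $Algo.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

# 1. Step 3: refuse to run the installer if either digest differs.
$md5  = Get-HexHash $Installer ([System.Security.Cryptography.MD5]::Create())
$sha1 = Get-HexHash $Installer ([System.Security.Cryptography.SHA1]::Create())
if ($md5 -ne $ExpectedMD5 -or $sha1 -ne $ExpectedSHA1) {
    Write-Error "Checksum mismatch for $Installer (MD5=$md5 SHA1=$sha1); do not run it."
    exit 1
}
Write-Host "Installer checksums match KB 1023962."

# 2. Step 9 / Reapply step 1: ask the embedded Jetty for its version.
$java = Join-Path $InstallDir "jre\bin\java.exe"     # Update Manager 4.x layout (assumed)
Push-Location $JettyDir
$versionOut = & $java -jar start.jar --version 2>&1 | Out-String
Pop-Location
if ($versionOut -match "6\.1\.22") {
    Write-Host "Jetty 6.1.22 present; the security fix is applied."
} elseif ($versionOut -match "6\.1\.6") {
    Write-Host "Jetty 6.1.6 present; the security fix is needed."
    # 3. A leftover JettyVersion value makes the installer report "does not require this patch".
    #    32-bit path; on 64-bit Windows use HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Update Manager.
    $regPath = "HKLM:\SOFTWARE\VMware, Inc.\VMware Update Manager"
    $key = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($key -and $key.PSObject.Properties["JettyVersion"]) {
        Write-Warning "JettyVersion registry value is '$($key.JettyVersion)'; remove it before reapplying."
    }
} else {
    Write-Warning "Could not determine the Jetty version from: $versionOut"
}
```

The script only reports the registry value; deleting it remains the manual regedit step above, so the operator sees what is about to change.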

Copyright statements and licenses

The attached open_source_license_VUM-KB-1023962.txt contains the copyright statements and license(s) that apply to various open source software components (or portions thereof) that will be made available to VMware vCenter Update Manager upon installation. Use of such open source software is pursuant to such open source license terms and your end user license agreement for VMware vCenter Update Manager.
